Today’s iOS 11 Update Fixes Persistent Denial-of-Service, Unencrypted Backup & Several Other Security Issues
Apple has today officially released its latest generation of mobile operating system, the iOS 11. Today’s release is a major update in terms of several features that will take the iOS world by a storm. (I’m going crazy over the screen recorder – I know, Androiders are laughing at us all…) You can read all about iOS 11 in our in-depth review of the operating system. But, if the feature-packed update isn’t enough to push you to hit that install button, you have another reason to install it ASAP.
Apple iOS 11 security updates
Today’s update brings a number of fixes to security vulnerabilities, making iOS 11 a must-update for your devices. While we may like to delay an update as downloading an annual update right after its release is nothing short of a headache, you might be in for more troubles if you delay installing iOS 11.
iOS 11 security bulletin isn’t a large one comparing to the last public release, but it does fix some critical issues in the operating system. Apple doesn’t rate its vulnerabilities like other tech companies, but vulnerabilities that enable backup to “perform an unencrypted backup despite a requirement to perform only encrypted backups” could be a disaster for the users.
Here are all the security issues that Apple has fixed with iOS 11.
Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup
Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS.
CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
iBooks
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-2017-7072: Jędrzej Krysztofiak
Mail MessageUI
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A memory corruption issue was addressed with improved validation.
CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital
Messages
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A denial of service issue was addressed through improved validation.
CVE-2017-7118: Kiki Jiang and Jason Tokoph
MobileBackup
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups
Description: A permissions issue existed. This issue was addressed with improved permission validation.
CVE-2017-7133: Don Sparks of HackediOS.com
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-7085: xisigr of Tencent’s Xuanwu Lab (tencent.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.
CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC
